Re: [exim] SNI and DANE TLSA record monitoring

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Jeremy Harris
Date:  
À: exim-users
Sujet: Re: [exim] SNI and DANE TLSA record monitoring
On 19/10/16 19:02, Felipe Gasper wrote:
> I’m probably missing something here … how do you get STARTTLS clients to accept/request the correct hostname for TLS when there is only one TLS-secured FQDN?


There is no necessary connection between the hostname of either an MX
or an MSA for a domain.

The one is found using DNS MX lookups, the other either by static
configuration of the MUA or by DNS SRV lookups.

Use of TLS is neither here nor there, in finding the right host
to contract. One might prefer to have a server certificate
with a CN or SAN that matches its name in the DNS, if using
TLS, for authentication (assuming a shared trust-anchor),
but even that is independent of having encryption.
--
Cheers,
Jeremy